chore(deps): update dependency immer to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
immer	^7.0.0 -> ^9.0.0

GitHub Vulnerability Alerts

CVE-2020-28477

Overview

Affected versions of immer are vulnerable to Prototype Pollution.

Proof of exploit

const {applyPatches, enablePatches} = require("immer");
enablePatches();
let obj = {};
console.log("Before : " + obj.polluted);
applyPatches({}, [ { op: 'add', path: [ "__proto__", "polluted" ], value: "yes" } ]);
// applyPatches({}, [ { op: 'replace', path: [ "__proto__", "polluted" ], value: "yes" } ]);
console.log("After : " + obj.polluted);

Remediation

Version 8.0.1 contains a fix for this vulnerability, updating is recommended.

CVE-2021-23436

This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.

CVE-2021-3757

immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

---

Release Notes

immerjs/immer

v9.0.6

Compare Source

Bug Fixes

• security: Follow up on CVE-2020-28477 where path: [["__proto__"], "x"] could still pollute the prototype (fa671e5)

v9.0.5

Compare Source

Bug Fixes

• release missing dist/ folder (bfb8dec)

v9.0.4

Compare Source

Bug Fixes

• #​791 return 'nothing' should produce undefined patch (5412c9f)
• #​807 new undefined properties should end up in result object (dc3f66c)
• Better applyPatches type (#​810) (09ac097), closes #​809

v9.0.3

Compare Source

Bug Fixes

• isPlainObject: add quick comparison between input and Object to short-circuit taxing Function.toString invocations (#​805) (07575f3)

v9.0.2

Compare Source

Bug Fixes

• #​785 fix type inference for produce incorrectly inferring promise (#​786) (6555173)

v9.0.1

Compare Source

Bug Fixes

• #​768 immerable field being lost during patch value cloning (#​771) (e0b7c01)

v9.0.0

Compare Source

feature

• Improved typescript types (2c2f30e), closes #​720

BREAKING CHANGES

• It is no longer allowed to return nothing from a recipe if the target state doesn't accept undefined.
• It is no longer allowed to return arbitrary things from a recipe. Recipes should either return nothing, or something that is assignable to the original state type. This will catch mistakes with accidental returns earlier.

v8.0.4

Compare Source

Bug Fixes

• make sure isPlainObject checks support objects send accross frames. Fixes #​766 / #​405 (5ae3547)

v8.0.3

Compare Source

Bug Fixes

• new Immer().produce now has the same type as produce. Fixes #​749 (f8b77d1)

v8.0.2

Compare Source

Bug Fixes

• Add a type-checking fast path for primitive types (#​755) (d395efe)
• Ignore equal reference assignments. Fixes #​648 (3b4286d)

v8.0.1

Compare Source

Bug Fixes

• Fixed security issue #​738: prototype pollution possible when applying patches CVE-2020-28477 (da2bd4f)

v8.0.0

Compare Source

feature

• Always freeze by default (#​702) (a406c8f)

BREAKING CHANGES

• always freeze by default, even in production mode. Use setAutoFreeze(process.env.NODE_ENV !== 'production') for the old behavior. See https://github.com/immerjs/immer/issues/687#issuecomment-728881754 for the rationale. Fixes #​649, #​681, #​687

v7.0.15

Compare Source

Bug Fixes

• make plugin loading idempotent, fixes #​692 (754331b)

v7.0.14

Compare Source

Bug Fixes

• build issue. Fixes #​685 (?) (9007be0)

v7.0.13

Compare Source

Bug Fixes

• reconcile if the original value is assigned after creating a draft. Fixes #​659 (c0e6749)

v7.0.12

Compare Source

Bug Fixes

• undraftable values should not be cloned for patches, fixes #​676 (1b70ad5)

v7.0.11

Compare Source

Bug Fixes

• skip ReadonlyMap and ReadonlySet types when not available (#​653). Fixes #​624 (12f4cf8)

v7.0.10

Compare Source

Bug Fixes

• Clearing empty Set&Map should be noop (#​682). Fixes #​680 (33a305b)

v7.0.9

Compare Source

Bug Fixes

• clear map creates invalid patches, fixes #​663 (bacc1e0)

v7.0.8

Compare Source

Bug Fixes

• Use a named type for Draft object for smaller type declaration files (a1a0da0)
• use Array.prototype.slice() for copying arrays. Fixes #​650 (bf90358)
• use Array.prototype.slice() for copying arrays. Fixes #​650 (bb40c36)

v7.0.7

Compare Source

Bug Fixes

• made NOTHING and IMMERABLE shared symbols. Fixes #​632 (b1c6a8e)
• make sure changing an undefined value to undefined is not picked up as change. Fixes #​646 (5521527)
• out of range assignments were broken in ES5 mode. Fixes #​638 (0fe9132)
• Set finalization can get stuck in a loop, fixes #​628 (b12e5c9)
• Trigger setters with the correct context, fixes #​604 (2697430)

v7.0.6

Compare Source

Bug Fixes

• flow: added types for produceWithPatches (b355838)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.